The only way is to separate it from the LAN. This means either putting it on its own VLAN or its own physical switch/NIC. Once it is on a different subnet, you can control how the traffic goes out to the internet or LAN. If it has an application FW like Microsoft FW, you could use that, but it could easily be disabled.